New PowerShell-based Backdoor points to MuddyWater

Malware researchers at Trend Micro have discovered a PowerShell-based backdoor that is very similar to malware used by the MuddyWater APT group.

The first MuddyWater campaign was observed in late 2017, when researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ because of the confusion in attributing these attacks, which took place between February and October 2017 and targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

The threat actors used a PowerShell-based first-stage backdoor named POWERSTATS; over time, the hackers changed tools and techniques.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by the TEMP.Zagros group (another name used by experts to track MuddyWater), targeting Asia and the Middle East from January 2018 to March 2018.

In the latest attacks detected by Trend Micro, the threat actors used TTPs consistent with MuddyWater; the malicious code was uploaded to VirusTotal from Turkey. The attackers used decoy documents that drop a new PowerShell backdoor similar to MuddyWater’s POWERSTATS malware.

“These documents are named Raport.doc or Gizli Raport.doc (titles mean “Report” or “Secret Report” in Turkish) and maliyeraporti (Gizli Bilgisi).doc (“finance (Confidential Information)” in Turkish) — all of which were uploaded to Virus Total from Turkey.” states Trend Micro.

“Our analysis revealed that they drop a new backdoor, which is written in PowerShell as MuddyWater’s known POWERSTATS backdoor. But, unlike previous incidents using POWERSTATS, the command and control (C&C) communication and data exfiltration in this case is done by using the API of a cloud file hosting provider.”

The new backdoor uses the API of a cloud file hosting provider to implement command and control (C&C) communication and data exfiltration.

The weaponized documents contain images showing blurry logos of some Turkish government organizations, and they trick victims into enabling macros to display the document properly.

The macros contain strings encoded in base52, an uncommon technique that MuddyWater used in past attacks. Once enabled, the macros drop a .dll file (with PowerShell code embedded) and a .reg file into the %temp% directory.

The PowerShell code has several layers of obfuscation. The backdoor initially collects system information and concatenates various pieces of it (i.e. OS name, domain name, user name, IP address) into one long string.

For communication, the malware uses files named <md5(hard disk serial number)> with various extensions associated with the purpose of the file:

.cmd – text file with a command to execute

.reg – system info as generated by myinfo() function, see screenshot above

.prc – output of the executed .cmd file, stored on local machine only

.res – output of the executed .cmd file, stored on cloud storage

“In both the older version of the MuddyWater backdoor and this recent backdoor, these files are used as an asynchronous mechanism instead of connecting directly to the machine and issuing a command,” the experts continue.

“The malware operator leaves a command to execute in a .cmd file, and comes back later to retrieve the .res files containing the result of the issued command.”
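As an added example (written for this page, not Trend Micro's code and not from the article), a small Python triage helper that looks for this drop-box naming convention in a directory listing, such as a local %temp% or a synced cloud folder: it groups 32-hex-character stems that carry the .cmd/.reg/.prc/.res extensions and, when the host's disk serial is known, checks whether a stem equals its MD5. The disk serial, file names and listing below are constructed for the demo.

```python
import hashlib
import re
from collections import defaultdict

# Roles the article assigns to each drop-box file extension.
ARTIFACT_ROLES = {
    ".cmd": "command to execute",
    ".reg": "system info from myinfo()",
    ".prc": "command output kept locally",
    ".res": "command output pushed to cloud storage",
}
# File stem is <md5(hard disk serial number)>: exactly 32 hex characters.
MD5_STEM = re.compile(r"^([0-9a-fA-F]{32})(\.(?:cmd|reg|prc|res))$", re.IGNORECASE)

def md5_hex(serial: str) -> str:
    """MD5 of the disk serial string, the stem derivation the article describes."""
    return hashlib.md5(serial.encode("utf-8")).hexdigest()

def group_artifacts(filenames):
    """Group files by MD5-shaped stem -> {extension: role}; ignores everything else."""
    groups = defaultdict(dict)
    for name in filenames:
        m = MD5_STEM.match(name)
        if m:
            ext = m.group(2).lower()
            groups[m.group(1).lower()][ext] = ARTIFACT_ROLES[ext]
    return dict(groups)

def suspicious_stems(filenames, known_serials=()):
    """Flag a stem if it equals md5(serial) of a known host disk, or if two or more
    of the four extensions share it (a .cmd beside its .prc/.res output)."""
    expected = {md5_hex(s): s for s in known_serials}
    hits = {}
    for stem, exts in group_artifacts(filenames).items():
        if stem in expected:
            hits[stem] = "stem is md5 of disk serial " + expected[stem]
        elif len(exts) >= 2:
            hits[stem] = "shared MD5 stem with extensions " + ", ".join(sorted(exts))
    return hits

# Constructed directory listing: one backdoor file set plus benign noise.
SAMPLE_SERIAL = "WD-WCC4E1234567"  # constructed serial, not from the article
SAMPLE_STEM = md5_hex(SAMPLE_SERIAL)
SAMPLE_LISTING = [SAMPLE_STEM + ".cmd", SAMPLE_STEM + ".res", SAMPLE_STEM + ".reg",
                  "Raport.doc", "setup.cmd",
                  "0123456789abcdef0123456789abcdef.res"]  # lone MD5-shaped file

if __name__ == "__main__":
    for stem, why in suspicious_stems(SAMPLE_LISTING, [SAMPLE_SERIAL]).items():
        print(stem, "->", why)
```

A single MD5-shaped file name is not flagged on its own, since many tools write hash-named files; the signal is the stem shared across the command, info and result extensions, or a stem tied to the host's own disk serial.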